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Flash file structu 



Header 



9 



Tags 



9 



Signature (3 bytes) 

© FWS: Normal Flash File 

9 CWS: Compressed Flash File 

Version(l)/ 

FileLength(4)/FrameSize(RECT)/ 

FrameRate(2)/FrameCount(2) 



Short Tag 

9 TagCodeAndl_ength(2): Type(10 
bits)/ Length (6 bits) 

Long Tag 

© TagCodeAndLength(2): 

Type (lObits) / Length (6bits) value 
should be 0x3F 

e Length(4): Actual Length 



Header (FWS|CWS, ... ) 



ag (Type, Length, 
Data) 

Tag (Type, L6 
Data) 




ngth, 



Data) 



Do ABC ta 




Type = 82 

• This tag contains AVM2 bytecode. 

• AVM2 bytecode contains logic for Flash files. 

• Some Flash files don't require any special actions - this tag can be 
missing in that case. 




Virtual Machine for ActionScript3 



e 



e 



Runs bytecode generated by ActionScript 3. 
Creates JITed bytecode on the heap 

© JITed means the code is actually native 

Creates potential risks 

« If the JITed code is messed up, it could lead to code execution conditions 
® Verification process required to block potentially dangerous control flows 



AVM2 has been a popular target for attack since 2010 



Vulnerabilities 




Simple deduction 

9 



9 
9 



Usually, software has vulnerabilities 

Application VM is software 

Usually, application VM has vulnerabilities 



Post-mortem a 



Debugging application VM issues is extremely hard when compared to 
debugging traditional applications. 



* 



All logic is encapsulated inside the Virtual Machine 

© Vulnerabilities usually occur as bugs in the JIT code generation 

e Manually debugging and tracing invalid JIT code generation is not practica 
(in anyway). 



• Many malware are loaded dynamically inside carrier SWF, which means 
the potential for static analysis is limited. 



How to solve these problems? 

AVM INSTRUMENTATION 



tecode instru 



• Change the bytecode so that we can use it for our purposes 



9 



© 



Code coverage investigation 

9 Utilizing debug output instruction 
9 Utilizing debug instructions 

Hooking classes: Sandboxing AVM bytecode 

9 Bytecode loading classes 
e Network- related classes 
© Data allocation classes 




* Adobe engineers have internal tools to analyze vulnerabilities. This research is mainly for those 
of us analyzing SWF malware or bugs who need more powerful tooling. 



Examples 

CODE COVERAGE 



INVESTIGATION 

CVE-2011-0609: AVM JIT CODE GENERATION 
ERROR 




Using debug output instructions or debug instructions 

• Insert trace instructions in every function and basic block, or even for 
each instruction 



9 



trace = printf in Actionscript 



Insert debugfile and debugline instructions to make the binary 
debuggable 

© debugfile, debugline = int 3 



CVE-2011-0609 



The control flow modification made the JIT engine create invalid 
instructions 

The instructions are created to work with object type A, but the 
instructions are getting object type B 

This is a JIT code generation issue. 



Security Advisory APSA11-01 published March 14, 2011 

Patch released 7 days later 



Breakina contro 



Original Control Flow 



Modified Control Flow 



CO 




CD 



c 



1 



3 




i 




CD 



CD 



CZD 




CD 



1. A block is split into Al and A2 

2. B -> C control flow has been changed to B -> 



Breakina contro 



Original 



Mutated 



K^ S 



get lex com.greensock.TweenLite 

get property rootFramesTimeline 

coerce com. greensock. core. SimpleTimeline 

jump loc_524A 



s 



±±jl 



get lex com-greenso^k^rrtiJeienLite 
getproperty rojxtFT^amesTimeline 
coerce cojiKljreensock .core .SimpleTimeline 
jump ^<foc 3ECE 



Li ^ S 



loc_524A: 

coerce com. greensock. core. SimpleTimeline 

setlocal_3 

getlocal_0 

getlocal_3 

getproperty cachedTotalTime 

get lex com. greensock. cor e:TweenCore. delay 



i 



U 



s 



getlocal_0 

pushtrue 

init property cachedReuersed 




I 



i 



k-5 S 



Inn q?fiQ- 



getlocalO 
getproperty uars 



getproperty <namespace_set> .paused 
iffalse locret 5277 








loc_3ECB: 
getlocalO 
getproperty u 



* f 




loc_3ECE: 

getproperty <namespace_set> .paused 

iffalse locret 3ED9 



A is split into Al and A2 
New control flow B -> A2 is 
created. 




Bytecode 




i 



k-5 S 



getlocalO 

pushtrue 

initproperty cachedReuersed 



J 



i 



li ^ g 



loc_5269: 

getlocal_0 

getproperty uars 

getproperty <namespace_set> .paused 

iffalse locret 5277 



U 



JIT Code 



eax, ds:766B2F8h 

ecx 

esi 

766B2E8h 

eax 



eax 

near ptr 
esp, h 
eax, eax 
short loc 7DF 



■ >A S 



nou eax, [ebp+uar_58] 

nou duord ptr [eax+1Ch], 1| 




t£3 



loc 7DF: 

mou eax, [ebp+uar_5B] 

mou ecx, [eax+34h] 

cmp ecx, 4 

jb short loc_866 




■ 4 s 


nou 


eax, 


ds:766B310h 


push 


ecx 




push 


esi 




push 


766B300h 


call 


eax 




add 


esp, 


OCh 


push 


eax 




call 


near 


ptr | 


add 


esp, 


h 


nou 


ecx, 


esi 


nou 


esi, 


[ebp+uar_78] 


nou 


edx, 


eax 


lea 


eax, 


[ebp+uar_fi8] 


test 


edx, 


edx 


jz 


short loc_84E 



Mutated Loaic 



JIT Code 



eax, [ebp+var_50] 
award ptr [eaa+icii], il 




loc_7Eti: 

now eaw, [ebp+var_2i 

test eax f eax 

jz short loc_868 



Bytecode 




s 




U e3 



get lex com.greensock.TweenLite 
getproperty rootFranesTimeline 
coerce com. greensock .core .SimpleTimeline 
jump loc_3ECE 



loc_3ECB: 
getlocalO 
getproperty uars 




ii 




Split Basic Block 





loc_3ECE: 

getproperty <namespace_set> .paused 

iffalse locret 3ED9 



Code aeneration 




The code generation 

takes path A 
to generate JIT Code 



loc_3ECB: 

getlocalO 

getproperty 




Path B 



loc_3ECE: 

getproperty <namespace_set> .paused 

iffalse locret 3ED9 



Get property <namespace_set>. paused is confused as to what type of variable 
it will get as a 1 st argument 
• Com.greensock.core.SimpleTimeLine or vars property type (declared as var 
vars:Object) 
The code is generated to comply with the com.greensock.core.SimpleTimeline 
type instead of the object type 




* For every SWF disassembly example in this presentation, we used our colleague, 
Marian Radu's excellent SWF disassembler plugin for IDA. For more information, 



^ /AWMtt^JdlkJ^]ii 7i^aETran7^ 



Actual code run 




get lex com_greensock.Tweenl_ite 
getproperty rootFranesTimeline 
coerce com.greensock.core.SimpleTimeline 
jump loc_3ECE 



loc_3ECB: 
getlocalO 
getproperty uar 




ti 



s 





"he actual control flow is Al to A2 



loc_3ECE: 

getproperty <namespace_set> .paused 

iffalse locret 3ED9 



The actual control flow is Al to A2. 
This is a problem because: 

• The JIT code is expecting B -> A2 control flow 

• The A2 code is expecting the com.greensock.core.SimpleTimeLine data 
type, but it's getting the data type from the vars variable 

This leads to an invalid memory access vulnerability 

• With a heap spraying technique, this can be used for code execution 




Common a 



II 



roach - 




SWF diffing 

© If you can obtain an original template of the SWF file fuzzing, then you can 
use SWF diffing to get the difference between them 

© This is very helpful in determining the cause of VM failure 



When a new 0-day Adobe Flash file is found, you can search for the 
original Adobe Flash file used for the fuzzing. 

• You can get clues from the disassemblies that show unique symbols from 
the source code. 

® The symbols represent component names which may be unique 



Common a 






eax=06ddfc41 ebx=06dedb08 ecx=06e06040 edx=b805f20b 
esi=06ded7a8 edi=05ee31d8 



eip=06elb58e esp=0013e0b8 ebp=0013el50 iopl=0 
na pe nc 

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=000 
ef I =00040206 

06elb58e 8b4a70 mov ecx,dword ptr [edx+70h] 

ds:0023:b805f27b=???????? 



nv up ei pi nz 




• 



• 




Problems 



• If a template is not available, you have no luck performing differentia 
analysis of the sample. 



• With JIT level debugging, it is very hard to find which part of the AVM 
code is actually related to the crash. 



• Code coverage or control flow tracing is needed - 
Instrumentation solves this problem 



Header 



Malicious 
AVM tag 



Tags 









1. Dissection of AVM tag 
structure & methods 



2. Instrumentation of 
instructions 



Instrumented 
SWF 



3. Reinsertion into original file 






Instrumented AVM tag 



Instrumentin 



i 



u ^ s 



findpropstrict trace 



pushstring "BasicBlock: 25" 
callpropuoid trace, 1 



getlocalO 

pushtrue 

initproperty cachedReuersed 



kJ s 



findpropstrict trace 



pushstring "BasicBlock: 22" 
callpropuoid trace, 1 



getlex com.greensock.TweenLite 
getproperty rootFramesTimeline 
coerce com.greensock.core.SimpleTimeline 
jump loc_4E10 



Ld k-5 S 



loc_4E03: 
findpropstrict ace 



ii 



Ld m* H3 



loc 4E10: 
findpropstrict trace 



pushstring "BasicBlock: 27" 
callpropuoid trace, 1 



getproperty <namespace_set> .paused 
iffalse loc UE2F 




Added debugging 
messages By 
instrumentation 



pushstring "BasicBlock 
callpropuoid trace, 1 



getlocal_8 
getproperty uars 



a s 



1 



findpropstrict trace 



pushstring "BasicBlock 
callpropuoid trace, 1 



28" 



getlocalO 
pushtrue 
initproperty paused 



I 



UJ h-5 S 



loc_4E2F: 
findpropstrict trace 



pushstring "BasicBlock: 29' 
callpropuoid trace, 1 



returnuoid 

> // TueenCore.TweenCore 



After runnin 



• 




Entering: [314, 279, 194, 72, 1, 56, 72] 

Entering: [314, 279, 194, 72, 1, 56, 72, 1] 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:2 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:3 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:5 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:7 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:8 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:10 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:11 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:12 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:13 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:14 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:15 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:16 

BasicBlock: [314, 279, 194, 72, 1, 56, 72, 1]:18 

Leaving: [314, 279, 194, 72, 1, 56, 72, 1] 
Leaving: [314, 279, 194, 72, 1, 56, 72] 
Leaving: [314, 279, 194, 72, 1, 56] 
BasicBlock: [314, 279, 194, 72, 1]:19 
BasicBlock: [314, 279, 194, 72, 1]:21 
BasicBlock: [314, 279, 194, 72, 1]:23 
BasicBlock: [314, 279, 194, 72, 1]:24 
Entering: [314, 279, 194, 72, 1, 73] 
Leaving: [314, 279, 194, 72, 1, 73] 
BasicBlock: [314, 279, 194, 72, 1]:26 
BasicBlock: [314, 279, 194, 72, 1]:27 <- The last line shows the crash point 



Locatina the era 



i 



U M 



findpropstrict trace 

pushstring "BasicBlock: 25" 

callpropuoid trace, 1 

getlocalO 

pushtrue 

initproperty cachedReuersed 



a m 



f indpropstrict trace 

pushstring "BasicBlock: 22" 

callpropuoid trace, 1 

getlex com.greensock.TweenLite 

getproperty rootFramesTineline 

coerce com.greensock.core.SimpleTimeli 

jump loc_4E10 



nel 



i 



Ld k4 fcS 



loc_4E03: 

f indpropstrict trace 

pushstring "BasicBlock 

callpropuoid trace, 1 

getlocal_8 

getproperty uars 



26' 



ii 



Ld m @ 



1UL 411 I U , 



findpropstrict trace 
pushstring "BasicBlock: 27" 
callpropuoid trace, 1 
npfni'nnpi'tn ^n^mpqnjrp ^pf> _n^n^pf1 



iffalse loc UE2F 




BasicBlock: [314, 279, 194, 72, 1]: 
27 
-> Crash Point is BasicBlock 27 






LH K-i S 



findpropstrict trace 
pushstring "BasicBlock 
callpropuoid trace, 1 
getlocalO 
pushtrue 
initproperty paused 



28" 



1 



M *A B 



1 



loc_4E2F: 

findpropstrict trace 

pushstring "BasicBlock: 

callpropuoid trace, 1 

returnuoid 

> // TueenCore.TweenCore 



29" 



Call stack trace 



pushstring "BasicBlock: 27" 

callpropvoid trace, 1 

getproperty <namespace_set>. paused 



public constructor TweenCore.TweenCore (Number, Object) 

• • • 

findpropstrict trace 
pushstring "Entering: 1" 



public constructor SimpleTimeline.SimpleTimeline (Object) 

• • • 

pushstring "Entering: 72" 
callpropvoid trace, 1 



public constructor TimelineLite.TimelineLite (Object) 

• • • 

pushstring "Entering: 194" 
callpropvoid trace, 1 



public constructor TimelineMax.TimelineMax (Object) 

• • • 

pushstring "Entering: 279" 
callpropvoid trace, 1 



public method MainTimeline.framel () 

• • • 

pushstring "Entering: 314" 
callpropvoid trace, 1 



BasicBlock: [314, 279, 194, 72, 1]: 27 


<* 








^ 
{ 




V 




^ 
^ 




< 





Examples 

DE-OBFUSCATION BY AVM 
CLASS HOOKING 

CVE-2011-0611: AVM1 EMBEDDED INSIDE AVM 
CODE ^ 



Hookina classes - 




Class hooking 

© Bytecode loading classes 
© Network-related classes 
© Data allocation classes 



You can run the code inside a complete sandbox you create with a 
the actual operations wrapped and virtualized. 

o This is very useful for behavioral analysis 



Obfuscated AVM 



Many exploits use obfuscated VM instructions to conceal their 
intentions. 

Many AVMl-based malware use heavy obfuscation. 

© Now, AVM obfuscation is a headache to malware analysts as much as 
JavaScript obfuscation. 



• CVE-2011-0611 



© Security Advisory APSA11-02, published April 11, 2011 

« Patch released 4 days later 




Container 



Layer 1 SWF 



Layer 2 SWF 







Container file contains layer 1 SWF 

• Layer 1 SWF contains layer 2 SWF 

• Layer 1 SWF loads heap spray shellcode on the memory and load layer 
2 SWF to exploit the vulnerability 

With layer 2 SWF, it only triggers the vulnerability, and is not able to 
execute anything. Usually harmless in itself. 




Layer 1 SWF 



Heap-sprayed 
payload 



# Layer 2 SWF 
vulnerability trigger 



Invalid memory access 




00002E00 
00002E10 
00002E20 
QQQQ2E3Q 
QQQQ2E4Q 
00002E50 
QQQQ2E6Q 
QQQQ2E7Q 
00002E80 
QQQQ2E9Q 
QQQQ2EAQ 
QQG02EBG 
QQQQ2ECQ 
00002ED0 
00002EE0 
00002EF0 
00002F00 
00002F10 
00002F20 
00002F30 

nnnn?F4n 



46 57 53 OA. 75 27 00 00 
78 00 05 5F 00 00 OF AO 00 00 18 01 00 44 11 08 
00 00 00 43 02 FF FF FF EF 15 OB 00 00 00 01 00 



f'JfUu' . 



x 



53 63 65 6E 65 20 31 00 00 BF 14 1A 27 



00 01 



00 00 00 00 10 00 2E 00 80 02 CI 82 85 8A 04 FC 

97 02 B4 Al FO BA 04 87 8E 83 30 8C A2 D2 93 03 

C7 D9 AA 98 01 E2 F3 AO B8 04 C7 8E 8F EC 07 98 

E4 BF 64 90 8E 9D 8E 06 BE 87 El B8 04 8F EC C8 

E5 01 AO 8E 9D 9E 01 C7 83 88 FD 02 E6 AE Al B9 

04 C7 8E FF 6F 8B 8F EE E4 02 C7 83 AC CA 01 FO 
FB El B9 04 94 D7 90 E7 03 E9 9F CE B9 07 Al C9 
81 9E 03 80 80 80 80 03 80 96 D2 80 04 8E Dl AF 
84 01 BB F3 8B 07 91 A2 AO 40 C3 8E B3 A3 06 BO 

80 BO 23 86 96 CE 02 EA DO AF 04 AO DO E7 OA E2 

81 80 28 89 81 CF 01 FD 96 C2 A9 04 BO 8A 8D E4 

05 8D 9A AO 23 F5 FE C7 88 01 84 AA FD 87 03 80 
D4 81 DO 06 82 D4 81 DO 6 C5 9 6 82 DO 06 D5 FE 
C3 82 03 EA 80 A8 A3 03 EA 80 A8 03 C5 96 C2 22 
83 Al FF C7 03 80 96 02 80 EO CI E8 03 EA E4 D6 
I'.S EA 34 A8 03 BO 8A AD 04 B4 AA FD 87 05 84 D4 



u 1 . . 

.D. . 



. . . C . yyyi .... 
Scene 1 . . i . . ■ 

■ ■■■■■■ t ■ ri £ ...i_i ■ u 
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e " °S ' a v* 
.¥1. S . .. . F&. . CM ' &€. 



1. Look for 'FWS' or 'CWS' SWF signature strings inside. 

2. Cut out and save the part after the signature. 




pushstring "4657530ACC05000078O0055F00000FA000001801 004411 000000003FO3A7050000960C0005000795C37C1307FB 

C37C130E129D02004C049D020018008815000900410042004300440045004600470048004900A18E110064656661756C74000100042A00020O9 
801960A000758C0494807A73FB6B7609D02O00000990200490040960500071674700B4C629D02000C00870100O31787010001960A0007EB6821 
4E071497DEB1609D020000001787010001960A000791FC361fl076E03C9E5609D02000000990200150O960D0001 00O000000301 000000O008009 
9 O20OA2FF1 796 06 OO01101 0402 08 01 UE 4896 OAO007DD7FUD61 07228 0B29E6 09D 02 00O00O1 29D 02 00E8 0099 0200B8 0O960A OO07 08U6322DO7F7B9 
CDD26O9D020000005226960D00O403 0401 0701 00O00O04O2 08 0252960500078EA0597B4C629D0200130096050007030000000B960500O7FF536 
F084C629D02000A00960700070100000008001C960A000744FA2E4007BB05D1BF609D0200000096020008035247960500076091982F4C629D02 
000B00870100031796020004O1960500072582FB444C629D020009O05 08701 0001179902003900960A00070724072807F8DBF8D7609D02O0000 
0960B 000401 07 01 0000000402 08 0499 02 0O48FF96 0A 0007 0B 0311 37 07F4FCEEC86 09D 02 00000099 02 O0F4FE96 02 00040396 05 0007AEO8382A4C 
629D 02 0004O03E96 09 O008 05 01 000000O008 06403C99 02 0075 0096 OA O007 0F4C2D4B07FOB3D2B46 09D 02 00O00O1 C96 07 0OO8 07 07640000O04F1 
C960A00074E52230207B1ADDCFD609D020000004D52171C4D96050007C855C5754C629D0200050052173D1C960B0008080809070100000O080A 
3D1C960200080B4E990200380096050007C3FE9F0F4C629D02000BO09621 0008 OC 07 01 00O00008 OA 08 0D 07 01 0000O008 OE 08 05 08 OF 07 01 O0000 
0080E0805080599020075FF4F960900080C0701000000080A9605000785588C354C629D020007003D1C9605000787257C684C629D020O070096 
02 00081 08E 08 000000000229 001 D 0096 09 0001 000000000401 08 0896 05 00071 8DFD97B4C629D02 00OA 00521 796 0AO0076C68C94O07939736BF6 
09D020000004F990200C00040960A0007A178062C075E87F9D3609D020000003C403C960A00073D9AF23B07C265ODC4609D020000001C4D523C 
960A0007C31F7D37073CE082C8609D020000001C4D5296050007E60BB7554C629D02000B00171C4D52171C4D960AO0074ABC7E7807B54381876 
09D0200000052171C96050007E3DD9D1E4C629D0200OD004D5296050007AAA57E4A4C629D02000C00171C4D96050007B35B3E624C629D020001 
00521 71 C4D521 796 0AO007A91CO65A0756E3F9A56 09D 02 00O00O99 02 00E3 01 96740OO1 00000000O81 10812 07 01 0000O0081 3 07 02 000000O81 40 
81 5081 6 07 01 0000OO08 OE 08 05 0817 07 01 00O0O008 0E 08 05 081 8 07 01 0O00O008 0E 08 05 081 9 07 01 0000O0O8 0E 08 05 081 A01 00000000O81 O081B 08 
1BO6000000001 0111111 0701 00000O081C081D06FB2109404AD8124D 07 01 000000081C990200C4FE960500070CF54E154C629D020O0F00960A0 
007E91B883F07661C883FOE129D02O044018824011EO0537472696E67O06C656E6774680063686172436F646541740O66726F6D43686172436F 
64650063686172417400636173650054657874466F726D61740073697A6500635F66756E0O566B6475686752656D686677317375727772777C7 
3680064656661 756C740067657453697A65O047647768317375727772777C7368 007777727375727740772B7468 006765745465787445787465 
6E74007A777377337375727772772B74680067657444617900676574466F6E744C69737400546578744669656C64004D617468O063726561746 
5456D7074794D6F766965436C6970007468697300497352756E6E696E67007365744D6F6465004C6F6164566172730O67657444657074680063 
6173652OO02 063617365004461746500636F6E74696E7565004C129902001100962701FB68DB39D55473340F46409E661299020070FAO040000 
00O ,,A M 



3. The copy & paste line starts with "465753"(FWS) or 
"435753"(CWS). Convert it to binary. 



Obfuscation 




Container 



Layer 1 SWF 



Obfuscated layer 2 SWF 




Obfuscated payload 





getpr 
pushd 
callp 
getlo 
getpr 
pushd 
callp 
getlo 
getpr 
pushi 
callp 
getlo 
getpr 
pushd 
callp 
getlo 
getpr 
pushd 
callp 
getlo 
getpr 
pushd 



operty Jitegg 

ouble 3.324286724e9 

ropuoid writelnt, 1 

cal rB 

operty jitegg 

ouble 3.4149937B6e9 

ropuoid writelnt, 1 

cal rB 

operty jitegg 

nt Bx61BFB9FB 

ropuoid writelnt, 1 

cal rfl 

operty jitegg 

ouble 4.251381145e9 

ropuoid writelnt, 1 

cal rB 

operty jitegg 

ouble U.27855ii623e9 

ropuoid writelnt, 1 

cal rB 

operty jitegg 

ouble 4.294967231e9 



callpropuold writelnt, 1 

findpropstrict Encrypt 

getlocal rB 

getproperty jitegg 

callpropuoid Encrypt, 1 

getlocal r1 

getlocal rB 

getproperty jitegg 

callpropuoid <namespace_set>.loadBytes, 1 

getlocal rB 

getlocal rB 

getlocal r1 

callproperty addChild, 1 

setproperty childRef 

returnuoid 

} // CMYK. explode 



Copy & paste doesn't work. 



You need to calculate the 
actual byte representation of 
all the integer and double 
values here. 



er 2 SWF 




getproperty length 



setlocal r2 
pushint B 
conuertu 
setlocal r3 



1 



LH h4 @ 



loc_112D: 
label 

getlocal r3 
getlocal r2 
lessthan 
iffalse loc 1166 



A S 



getlocal r1 
getlocal r3 
getlocal r1 
getlocal r3 
setlocal r4 
dup 

getlocal r** 
swap 
getlocal r** 



nn 



hJi 



getproperty <namespace_set> .<runtine_name> 

pushshort BxFF 

bitxor 



coerce_a 

dup 

setlocal rU 

setproperty <namespace_set> .<runtine_name> 

getlocal rU 

kill rh 

setproperty <namespace_set> .<runtine_name> 

nop 

getlocal r3 

increnenti 

conuertu 

setlocal r3 

jump loc_112D 



al 



loc_1166: 

nop 

kill r3 

kill r2 

returnuoid 

} // CMVK. Encrypt 



How to solve the 



usca 



ue of 




Method 1: Inserting dump code 



Method 2: AVM insertion 



Insertin 






88881F9E 


4F 


81 


81 


callpropuoid writelnt, 1 




eoeeiFAi 


62 


88 




getlocal r8 




888B1FA3 


66 


82 




getproperty jit egg 




88881FA5 


2D 


38 




pushint 8X61BFB9FB 




88881FA7 


4F 


81 


81 


callpropuoid writelnt, 1 




888B1FAA 


62 


88 




getlocal rB 




888B1FAC 


66 


82 




getproperty jit egg 




8B8B1FAE 


2F 


8D 


82 


pushdouble 4.251381145e9 




888B1FB1 


4F 


81 


81 


callpropuoid writelnt, 1 




8B881FB4 


62 


88 




getlocal rB 




8B8B1FB6 


66 


82 




getproperty jit egg 




888B1FB8 


2F 


8E 


82 


pushdouble 4.278554623e9 




888B1FBB 


4F 


81 


81 


callpropuoid writelnt, 1 




8B8B1FBE 


62 


88 




getlocal rB 




888B1FC8 


66 


82 




getproperty jit egg 




88B81FC2 


2F 


8F 


82 


pushdouble 4.294967231e9 




B8BB1FC5 


4F 


81 


81 


callpropuoid writelnt, 1 




88B81FC8 


5D 


88 




Findpropstrict Encrypt 




88881FCA 


62 


88 




getlocal rB 




88B81FCC 


66 


82 




getproperty jitegg 




88B81FCE 


4F 


88 


81 


callpropuoid Encrypt, 1 




B8B81FD1 


62 


81 




getlocal r1 




88B81FD3 


62 


88 




getlocal rB 




BBBB1FD5 


ftft 


(|p 




optnronprtu 




88B81FD7 


2A 






dup 




88B81FD8 


5D 


24 




Findpropstrict Dump 




888B1FDA 


2B 






swap 




88B81FDB 


4F 


24 


81 


callpropuoid i, 1 




88B81FDE 


29 






pop 




B8B81FDF 


29 






pop 




88B81FEB 


62 


88 




getlocal rB 




8B8B1FE2 


62 


88 




getlocal rB 




8B881FE4 


62 


81 




getlocal r1 




888B1FE6 


46 


1D 


81 


callproperty addChild, 1 




BB881FE9 


61 


11 




setproperty childReF 




888B1FEB 


47 






returnuoid 




888B1FEB 








} // CMYK. explode 



Problems 




Stack level calculations 
• Not fully controlling the class or member functions inside 



A better method? 




Class can be hooked 

• Every class resolution is through name 

• The name is contained in a multi-name table 

• By modifying the multi-name table, you can redirect every ca 
specific class to your own class 



to a 



Problem: 



How can you create your own class in the target SWF? 



Gene insertion 







Chromosome B 





Chromosome A 




Chromosome A Chromosome B 



AVM insertion 








Original SWF 



AVM tag with hook functions 





Library SWF 




Library SWF Instrumented SWF 



AVM insertion 




Analysis target with 
modified class name 



AVM with hook class 



Library SWF Instrumented SWF 



sis taraet with 



Original malware 



Ld kjJ H 



public method CMYK. explode () 

{ 
getlocalB 

Dushscooe 



findpropstrict flash. display .Loader 
constructprop flash. display. Loader, 
coerce a 



setlocal r1 



to 



getproperty jitegg 

pushdouble 4.B76BB811iie9 

callpropuoid writelnt, 1 

findpropstrict Encrypt 

getlocal rB 

getproperty jitegg 

callpropuoid Encrypt, 1 

getlocal r1 

getlocal rB 

getproperty jitegg 

callpropuoid <namespace_set>.loadBytes, 1 

getlocal rB 

getlocal rB 

getlocal r1 

callproperty addChild, 1 

setproperty childRef 

returnuoid 

} // CMYK. explode 



^ooA: 



es Pa Ce 
our 

class 



lash.display.Loader Class 




Instrumented malware 




Ld *A m 



public method CMYK. explode () 

{ 

getlocalB 

pushscope 

findpropstrict trace 

pushstring "Entering: 2" 



findpropstrict LoaderHook 
constructprop LoaderHook, B 
coerce a 



setlocal r1 



getproperty jit_e^q* • 

pushdouble 4.076008114e9 

callpropuoid writelnt, 1 

findpropstrict Encrypt 

getlocal rB 

getproperty jitegg 

callpropuoid Encrypt, 1 

getlocal r1 

getlocal rB 

getproperty jitegg 

callpropuoid <namespace_set>.loadBytes, 1 

getlocal rB 

getlocal rB 

getlocal r1 

callproperty addChild, 1 

setproperty childRef 

findpropstrict trace 

pushstring "Leauing: 2" 

callpropuoid trace, 1 

returnuoid 

> // CMYK. explode 




oaderHook Class 



AVM with hook 




ou 




package { 

import flash. display.Loader; 

• • • 

public class LoaderHook{ <- This is the hooking class name 

• • • 

private var loadenflash. display.Loader <- Our loader to call the original loader 

• • • 

public function loadBytes(bytes:ByteArrayHook, context:LoaderContext = null):void 
{ 

• • • 

trace( "Loader.loadBytes" ); 

Dump( bytes.byteArr ); <- Dump the bytes to a log file 

loader.loadBytes( bytes.byteArr, context ); <- You can call the original class member 
or you can just skip it. If you skip it layer 2 SWF will never be loaded. 

• • • 

} 




public 

debugf i 

debugli 

getloca 

pushsco 

debug 

debug 

debugli 

getloca 

callpro 

pop 

debugli 

findpro 

pushstr 

callpro 

pop 

debugli 

findpro 

getloca 

getprop 

callpro 

pop 

debugli 

getloca 

callpro 

pop 

debugli 

returnu 

> // Lo 



method LoaderHook.loadBytes (ByteArrayHook, LoaderContext) :uoid 



le 

ne 0x49 

1_0 

pe 
1, "bytes", rO, 0x49 
1, "context", r1, 0x49 

ne 0x4B 

1_0 

perty LoaderHook.UpdateOrig, 







ne OxUD 

pstrict trace 

ing "Loader-loadBytes" 

perty trace, 1 

ne OxUE 

pstrict Dump 

11 

erty byteflrr 

perty Dump, 1 

ne 0x52 

1_0 

perty LoaderHook.UpdateThis, 

ne 0x53 

oid 

aderHook.loadBytes 







Generating these 
instructions manually 
without using the AVM 
insertion technique would 
be a nightmare. 



************************************************ 



46 57 53 OA 
00 00 18 01 
00 96 OC 00 
OE 12 9D 02 
00 41 00 42 
00 49 00 Al 

00 04 2A 00 
07 A7 3F B6 
40 96 05 00 
87 01 00 03 
4E 07 14 97 

01 96 OA 00 

02 00 00 00 
00 03 01 00 
06 00 04 01 



CC 05 00 00 78 00 05 5F 00 00 OF AO 
00 44 11 00 00 00 00 3F 03 A7 05 00 
05 00 07 95 C3 7C 13 07 FB C3 7C 13 
00 4C 04 9D 02 00 18 00 88 15 00 09 
00 43 00 44 00 45 00 46 00 47 00 48 
8E 11 00 64 65 66 61 75 6C 74 00 01 
02 00 98 01 96 OA 00 07 58 CO 49 48 
B7 60 9D 02 00 00 00 99 02 00 49 00 
07 16 74 70 OB 4C 62 9D 02 00 OC 00 
17 87 01 00 01 96 OA 00 07 EB 68 21 
DE Bl 60 9D 02 00 00 00 17 87 01 00 
07 91 FC 36 1A 07 6E 03 C9 E5 60 9D 
99 02 00 15 00 96 OD 00 01 00 00 00 
00 00 00 08 00 99 02 00 A2 FF 17 96 
04 02 08 01 4E 48 96 OA 00 07 DD 7F 



Getting layer 2 SWF takes at least a few hours without 
bytecode instrumentation 



Conclusion 



Just like native binaries, bytecode binaries can be instrumented. 
Binary instrumentation helps analysts to speed up their analysis. 



• In a real world situation, this method makes the analysis process up to 
several times faster. 



w 



You can apply the same methodology to other VMs. We can use th 
methods to perform quicker analysis of malware that abuses 
application VMs. 



Be what s next. 
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